Abstract

We design a probabilistic algorithm for computing endomorphism rings of ordinary elliptic curves defined over finite fields that we prove has a subexponential runtime in the size of the base field, assuming solely the generalized Riemann hypothesis.

Additionally, we improve the asymptotic complexity of previously known, heuristic, subexponential methods by describing a faster isogeny-computing routine.

1 Introduction 

Endomorphism rings of ordinary elliptic curves over finite fields are central objects in complex multiplication (CM) theory; as such, they appear in various computational number-theoretic contexts. For instance, the CM method for generating curves with a prescribed number of points relies on evaluating so-called Hilbert class polynomials, for which the state-of-the-art algorithm of [18] requires an endomorphism-ring-computing subroutine. They are also potentially relevant security parameters in certain cryptographic applications.

They were first studied by Kohel [12] who, assuming the generalized Riemann hypothesis (GRH), gave a deterministic method for computing them in time O(q^{1/3+ε}) where q is the cardinality of the base field. Recently, a probabilistic algorithm with subexponential complexity in log q was obtained in [2] by relying on several additional assumptions; its runtime is

L(q)^{√3/2+o(1)}, where L(x) = exp √(log x log log x).

Here, we describe a variant of this method that computes endomorphism rings in proven probabilistic subexponential time, assuming only the GRH; it "ascends" the lattice of orders in a generic manner, and "tests" orders using their class group structure. The lattice-ascending procedure is suited to work in general number fields, which is a necessary step for generalizing this algorithm to higher-dimensional abelian varieties; for now, only the method of Eisenträger and Lauter and that of Wagner [20] apply to this setting but they are both of exponential nature. To prove the complexity of the order-testing method, we adapt material from Seysen [16] and proofs due to Hafner and McCurley [9] to make use of a sharp bound derived from the GRH by Jao, Miller, and Venkatesan [11, Corollary 1.3].



Additionally, we use a more direct, faster isogeny-computing routine than [2] which allows us to bring down the exponent in the complexity. Explicitly, on input an ordinary elliptic curve E defined over a finite field our main algorithm outputs the structure of its endomorphism ring End E in proven (under the GRH) probabilistic time

L(q)^{1+o(1)} + L(q)^{1/√2+o(1)}

where the first term only accounts for the cost of factoring a certain integer less than 4q using the state-of-the-art proven method of Lenstra and Pomerance [14]: in other words, apart from that factorization, we were able to adapt and prove under the GRH all parts of the heuristic subexponential method above while improving its asymptotic complexity.

Section 2 fixes notations on endomorphism rings and orders. Section 3 then presents the order-testing method using "relations". Section 4 gives the direct-but-fast isogeny-computing routine. Section 5 describes our lattice-ascending procedure and main algorithm. Section 6 proves that class groups are characterized by short relations. Section 7 finally shows how orders are determined by their class groups.

2 Background 

Let E be an ordinary elliptic curve defined over a finite field F_q. The Frobenius endomorphism π acts on geometric points of E by raising their coordinates to the q-th power; its characteristic polynomial χ_π(x) is of the form x² − tx + q and computing the integer t is equivalent to finding the number of points on the curve, namely χ_π(1). Schoof showed in [15] how this can be done in deterministic polynomial time in the size of the base field, log q.

Many endomorphisms stem from the Frobenius endomorphism, as Deuring proved: Q ⊗ End E ≅ Q(π). Since the number field K = Q[x]/(χ_π(x)) is isomorphic to Q(π), by computing the trace t we have already determined the endomorphism ring "up to fractions". From now on, we make this isomorphism implicit by setting π = x.¹

The number field K is called the CM field of E; the implicit isomorphism maps End E to an order in K so we have

Z[π] ⊂ End E ⊂ O_K

where O_K is the ring of integers of K. Conversely, Waterhouse proved in [21, Theorem 4.2] that all orders containing Z[π] arise as endomorphism rings. The index [O_K : Z[π]] is essentially the square part of the discriminant Δ = t² − 4q; this measures how broad the search range is: in the worst case, it can be exponential (in log q).

The orders of K containing Z[π] form a finite lattice (in the set-theoretic sense) where O_K is the maximal order, Z[π] the minimal one, and End E lies in between. Unfortunately it might have exponentially many orders so we need to devise a better way of finding End E than testing each in turn; this is the purpose of the lattice-ascending algorithm of Section 5 which tests only polynomially many orders. For those orders O, we "test" whether O ⊂ End E with the methodology of Section 3 which we develop in Sections 6 and 7.

¹ The conjugate of x might equivalently be taken as π; this choice just needs to be made once and for all.
3 The CM approach

We now present the approach of [2] to testing whether O ⊂ End E in a somewhat more abstract flavor. For the theory of imaginary quadratic orders, we refer to [5].

In this paper, it is implicitly understood that we exclusively consider ideals of norm coprime to Δ, so that their images in Z[π] are unramified and invertible. Since every (invertible) ideal class of each order containing Z[π] has a representative of this type, this has no effect on our use of class groups, which arises from the following result of CM theory.

Theorem 3.1. When a is an ideal of End E, denote by φ_a the isogeny with kernel ∩_{α∈a} ker α. The ideal class group cl(O) acts faithfully and transitively on the set of isomorphism classes of elliptic curves with endomorphism ring O by a · E = φ_a(E).

Intuitively, the structure of the class group dictates that of the isogeny graph; hence, by looking at the latter, we might deduce things on the former and obtain information about the endomorphism ring. This action is effective, as embodied in Proposition 4.4. In this setting, we formalize the notion of "structure" by the following concept.

Definition. We define relations as multisets of ideals of Z[π]. We say that a relation R holds in an order O (or that it is a relation of O) if the product ∏_{a∈R} a is trivial in cl(O); we say that it holds in the isogeny graph if the composition of the isogenies φ_{a End E} for a ∈ R fixes E.

The theorem implies that a relation holds in End E if and only if it holds in the isogeny graph, which gives a way to tell the endomorphism ring apart from other orders of the lattice (we will see in the next section that φ_{a End E} can be computed without knowing End E).

To avoid testing all orders, we rely on this simple result from [5, Chapter 7]:

Lemma 3.2. If a relation holds in some order, it also does in all orders containing it.

Intuitively, as we ascend the lattice of orders, more and more relations hold, which also translates into class groups getting smaller. This is why we chose Z[π] to be the ring of our ideals: via the morphism a ↦ aO we can map ideals of Z[π] to any order above in a way that induces surjective morphisms of class groups.

To search for the endomorphism ring End E in the lattice, we will "test" whether orders O lie below it by selecting relations of them and checking whether they hold in the isogeny graph. Before we describe that procedure in detail, let us mention how to compute isogenies.

4 Computing the CM action

To make use of Theorem 3.1, we need to work with isomorphism classes of elliptic curves; for this, we rely on [?, Proposition 14.19] which states that two ordinary elliptic curves are isomorphic if and only if their cardinalities and j-invariants are the same. Computing the cardinality takes polynomial time, and since the j-invariant is a rational function in the coefficients of a Weierstrass equation, it does not take longer to evaluate it. In the following, it is implicitly understood that we work with isomorphism classes via this representation.

To evaluate the action φ_a(E) of an ideal a, we combine classical tools:

Algorithm 4.1.

Input: An elliptic curve E/F_q with Frobenius polynomial χ_π and an ideal a.
Output: The isogenous elliptic curve φ_a(E).

1. Find a basis (P_i) of the ℓ-torsion of E over F_{q^{ℓ−1}} where ℓ = norm(a).
2. Write the matrix M of the Frobenius endomorphism on the basis (P_i).
3. Compute the eigenspaces of M ∈ Mat₂(Z/ℓZ).
4. Determine which is the kernel of the isogeny φ_a.
5. Compute this isogeny.

Step 5 computes φ_a from its kernel, which Vélu's formulae [18] do in O(ℓ) curve operations over F_{q^{ℓ−1}}. Step 4 relies on an idea from the SEA algorithm found in [?, Stage 3]:

Proposition 4.2. Let a be an ideal of O of prime norm ℓ; write it as ℓO + u(π)O where the polynomial u is an irreducible factor of χ_π mod ℓ. The characteristic polynomial of the restriction to the kernel of φ_a of the Frobenius endomorphism is u.

Since the map a ↦ aO from ideals of Z[π] preserves their norm ℓ and polynomial u, there is no need to know O to compute φ_{aO}; this is particularly useful for O = End E.

Step 2 decomposes π(P_i) as Σ_{j∈{1,2}} m_{ij} P_j, for which a baby-step giant-step approach requires O(ℓ) operations in E/F_{q^{ℓ−1}}. Step 3 is classical and takes quasi-linear time in log ℓ; it outputs the F_q-rational subgroups of E[ℓ] isomorphic to Z/ℓZ.

Finally, Step 1 uses the fact that points of rational subgroups of order ℓ are necessarily defined over an extension of degree ℓ − 1; it proceeds by selecting random ℓ^∞-torsion points over this extension and lifting one along the other to obtain independent ℓ-torsion points. This idea originates from [4, Theorem 1] to which we refer for details.



Algorithm 4.3.

Input: An elliptic curve E/F_q with Frobenius polynomial χ_π and a prime ℓ.
Output: A basis of the ℓ-torsion E[ℓ] of E over F_{q^{ℓ−1}}.

a. Decompose #E(F_{q^{ℓ−1}}) as m ℓ^k where ℓ ∤ m.
b. Let P and Q be m times random points of E(F_{q^{ℓ−1}});
c. Compute the order ℓ^{k_P} of P and ℓ^{k_Q} of Q and assume k_P ≥ k_Q.
d. Precompute the table (i, i ℓ^{k_P−1} P) for i ∈ Z/ℓZ.
e. For j from k_Q − 1 down to 1:
f.   If ℓ^j Q = i ℓ^{k_P−1} P for some i, set Q ← Q − i ℓ^{k_P−1−j} P.
g. If Q = O_E then go back to Step b.
   Return (ℓ^{k_P−1} P, ℓ^{k_Q−1} Q).

The cardinality of E(F_{q^{ℓ−1}}) can be computed as Res_x(χ_π(x), x^{ℓ−1} − 1); since it is O(q^ℓ), extracting random points of it and multiplying them by m requires O(ℓ log q) operations in F_{q^{ℓ−1}}. Similarly, both k_P and k_Q are bounded by k = O(ℓ log q). The lookup in Step f is negligible if an efficient data structure such as a red-black tree is used to store the precomputed table of Step d. Finally, the probability of going back to Step b is O(1/ℓ) as proven in [4].
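The following Python is an added example and not code from the paper: it implements Algorithm 4.3 (random ℓ^∞-torsion points, lifting one along the other) on two constructed toy curves over prime fields, so that the extension F_{q^{ℓ−1}} is replaced by a prime field in which the full ℓ-torsion happens to be rational, and brute-force point counting stands in for the resultant formula. The curves y² = x³ + 1 over F_31 (ℓ = 3, group Z/6 × Z/6) and y² = x³ − x over F_23 (ℓ = 2, group Z/2 × Z/12), the function names and the seeds are my choices; the loop of Step e runs down to j = 0 here so that Q itself is checked against the table before Step g.

```python
import random

def ec_neg(P, p):
    return None if P is None else (P[0], (-P[1]) % p)

def ec_add(P, Q, a, p):
    # affine group law on y^2 = x^3 + a*x + b over F_p; None is the point at infinity
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, P, a, p):
    R = None
    while n > 0:
        if n & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        n >>= 1
    return R

def count_points(a, b, p):
    # naive #E(F_p); stands in for Res_x(chi_pi(x), x^(l-1) - 1) on these toy sizes
    n = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        n += 1 if rhs == 0 else 2 if pow(rhs, (p - 1) // 2, p) == 1 else 0
    return n

def random_point(a, b, p, rng):
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, y)
    while True:
        x = rng.randrange(p)
        rhs = (x ** 3 + a * x + b) % p
        if rhs in roots:
            y = roots[rhs]
            return (x, y) if rng.random() < 0.5 else (x, (-y) % p)

def ell_exponent(P, ell, a, p):
    # k such that P has order ell^k (P is assumed to have ell-power order)
    k = 0
    while P is not None:
        P = ec_mul(ell, P, a, p)
        k += 1
    return k

def torsion_basis(a, b, p, ell, seed=0):
    rng = random.Random(seed)
    m, k = count_points(a, b, p), 0
    while m % ell == 0:                        # Step a: #E = m * ell^k
        m //= ell
        k += 1
    assert k >= 2, "E[ell] must be rational here for a basis to exist"
    while True:
        P = ec_mul(m, random_point(a, b, p, rng), a, p)    # Step b
        Q = ec_mul(m, random_point(a, b, p, rng), a, p)
        kP, kQ = ell_exponent(P, ell, a, p), ell_exponent(Q, ell, a, p)
        if kP < kQ:                            # Step c
            P, Q, kP, kQ = Q, P, kQ, kP
        if kP == 0:
            continue
        P1 = ec_mul(ell ** (kP - 1), P, a, p)
        table = {ec_mul(i, P1, a, p): i for i in range(ell)}   # Step d
        for j in range(kQ - 1, -1, -1):        # Step e (down to 0 in this implementation)
            T = ec_mul(ell ** j, Q, a, p)
            if T in table:                     # Step f: lift Q along P
                i = table[T]
                Q = ec_add(Q, ec_neg(ec_mul(i * ell ** (kP - 1 - j), P, a, p), p), a, p)
        if Q is None:                          # Step g
            continue
        kQ = ell_exponent(Q, ell, a, p)
        return P1, ec_mul(ell ** (kQ - 1), Q, a, p)

def is_ell_basis(P1, Q1, ell, a, p):
    # both points of exact order ell, and Q1 outside the subgroup generated by P1
    if P1 is None or Q1 is None:
        return False
    if ec_mul(ell, P1, a, p) is not None or ec_mul(ell, Q1, a, p) is not None:
        return False
    return all(ec_mul(i, P1, a, p) != Q1 for i in range(ell))

if __name__ == "__main__":
    P1, Q1 = torsion_basis(0, 1, 31, 3)        # constructed: y^2 = x^3 + 1 over F_31
    print(P1, Q1, is_ell_basis(P1, Q1, 3, 0, 31))
```

The second curve exercises the lifting loop with k_P = 2, since its 2-primary part is Z/2 × Z/4; a hash table replaces the red-black tree of Step d.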

Using fast arithmetic, operations in F_{q^{ℓ−1}} take at most (ℓ log q)^{1+o(1)} time, so we have:

Proposition 4.4. Algorithm 4.1 returns the curve φ_{a End E}(E) isogenous to a prescribed curve E/F_q in probabilistic time O(ℓ^{2+o(1)} log^{1+o(1)} q), where ℓ = norm(a).



5 Ascending the lattice of orders 

Orders in an imaginary quadratic field K are of the form Z + fO_K for some f ∈ N known as the conductor; inclusion of orders corresponds to divisibility of conductors. Those orders we are interested in contain Z[π] so their conductors divide the index [O_K : Z[π]].

We will be ascending the lattice of orders one step at a time: each step consists in enumerating all orders lying directly above a prescribed order, that is, containing it with prime index ℓ. The possible values for ℓ are the prime factors of [O_K : Z[π]] which can be listed by factoring (the square part of) the discriminant Δ, for which the state-of-the-art proven method of Lenstra and Pomerance [14] uses L(q)^{1+o(1)} operations. Enumerating orders above (resp. below) then simply amounts to dividing (resp. multiplying) the conductor by the possible ℓ's; naturally, since our orders are to contain Z[π], this is subject to the condition that the conductor remains a factor of the index [O_K : Z[π]].

Our strategy to locate the endomorphism ring in this lattice by testing orders and ascending in corresponding directions works as follows: given some order O' contained in End E (we start with O' = Z[π]), find some order O directly above O' which lies below End E; then replace O' by O and iterate the process. The ascension ends when no such O is contained in End E; then, we must have End E ≅ O'. See Figure 1 where we start from the bottom and ascend towards orders O for which the statement O ⊂ End E holds.

We formalize this procedure into: 

Algorithm 5.1. 

Input: An ordinary elliptic curve E over a finite field F_q.
Output: An order isomorphic to the endomorphism ring of E.

1. Compute the Frobenius polynomial χ_π(x) of E.
2. Factor the discriminant Δ and construct the order O' = Z[π].
3. For orders O directly above O':
4. If O ⊂ End E set O' ← O and go to Step 3.

5. Return O' . 

Steps 1 and 2 are classical and only require polynomial time in log q except the factorization of Δ which takes L(q)^{1+o(1)} time. Under the GRH, we will later prove:
[Figure 1: Locating End E by ascending a test-sequence of orders.]

Proposition 5.2 (GRH). Let O be an order above Z[π]. One can determine whether O ⊂ End E in probabilistic time L(q)^{1/√2+o(1)} with failure probability o(1/log² q).

The number of orders directly above Z[π] (to be tested in Step 4) is the number of prime factors of [O_K : Z[π]] and it decreases as O' grows; the number of ascending steps (of times Step 3 is reached) is bounded by the sum of the exponents in the factorization of [O_K : Z[π]] into prime powers. These two quantities are smaller than log₂ |Δ| so the overall number of tests is at most quadratic in log q. As a consequence, we have:
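As an added example (not the paper's code), the following Python carries out Steps 2 to 5 of Algorithm 5.1 on the lattice of conductors: it writes Δ = f² D_K to get the conductor of Z[π], enumerates the orders directly above an order by dividing the conductor by the primes of f, and ascends. The order test of Step 4 is a simulated oracle standing in for Algorithm 7.1 (it assumes End E has a chosen conductor and answers by divisibility), trial division stands in for the Lenstra–Pomerance factorization, and the pair q = 1579, t = 4 (so Δ = −6300 = −30² · 7) is a constructed input; all names are my own.

```python
def factor_trial(n):
    # trial division; stands in for the Lenstra-Pomerance factorization of Delta (toy sizes only)
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def conductor_and_fundamental(delta):
    # write Delta = f^2 * D_K with D_K fundamental: f is the conductor of Z[pi], D_K that of O_K
    f = 1
    for p, e in factor_trial(-delta).items():
        f *= p ** (e // 2)
    dk = delta // (f * f)
    if dk % 4 not in (0, 1):      # a discriminant is 0 or 1 mod 4: one factor 2 belongs to D_K
        f //= 2
        dk = delta // (f * f)
    return f, dk

def orders_directly_above(f, primes):
    # conductors of the orders containing Z + f*O_K with prime index
    return [f // ell for ell in primes if f % ell == 0]

def ascend(delta, below_end):
    # Steps 2-5 of Algorithm 5.1; below_end(g) answers "is Z + g*O_K contained in End E?"
    f0, _ = conductor_and_fundamental(delta)
    primes = sorted(factor_trial(f0))
    f, tests = f0, 0
    while True:                               # Step 3: try every order directly above f
        for g in orders_directly_above(f, primes):
            tests += 1
            if below_end(g):                  # Step 4: climb and start over
                f = g
                break
        else:                                 # Step 5: nothing above lies below End E
            return f, tests

def simulated_end_oracle(delta, conductor_of_end):
    # stand-in for Algorithm 7.1: pretend End E has the given conductor, so that
    # Z + g*O_K lies below End E exactly when conductor_of_end divides g
    f0, _ = conductor_and_fundamental(delta)
    assert f0 % conductor_of_end == 0, "End E must contain Z[pi]"
    return lambda g: g % conductor_of_end == 0

if __name__ == "__main__":
    q, t = 1579, 4                            # constructed: Delta = t^2 - 4q = -6300 = -30^2 * 7
    delta = t * t - 4 * q
    print(conductor_and_fundamental(delta))   # (30, -7)
    print(ascend(delta, simulated_end_oracle(delta, 6)))   # (6, 5): found after 5 tests
```

The returned pair is the conductor of the located order (the order itself is Z + f O_K) and the number of oracle calls, which stays within the product of the number of prime factors of f and one more than the sum of their exponents, as the paragraph above bounds it.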

Theorem 5.3 (GRH). The endomorphism ring of an ordinary elliptic curve defined over F_q can be computed, with failure probability o(1), in probabilistic time L(q)^{1+o(1)} + L(q)^{1/√2+o(1)} where the first term only accounts for the complexity of factoring the discriminant Δ = O(q).

The output may be unconditionally verified using the certification method of [?, Section 3.2]. This probabilistic procedure can be adapted to use the isogeny-computing routine of Section 4 and the proof material of Section 6; under the GRH, it then requires L(q)^{1/√2+o(1)} operations. As a result, we obtain an algorithm for which the above theorem holds without the "failure probability" statement; this is sometimes called a Las Vegas algorithm.

The rest of this paper is devoted to the proof of Proposition 5.2.

6 Class groups from short relations 

To test whether O ⊂ End E reliably, we characterize O by a set of relations R that hold in it but not collectively in any order of the lattice not containing it. We will then test whether they hold in the isogeny graph, so we seek relations R for which Σ_{a∈R} norm(a) is small, the cost of computing the associated isogeny being (quasi-)quadratic in the norms involved.

We start by bounding the norms of ideals to appear in our relations: form the set B of prime ideals p of Z[π] with norm less than some integer N to be fixed later, and consider smooth ideals

∏_{p∈B} p^{n_p}

for vectors n ∈ Z^B. If σ_O(n) denotes the corresponding ideal class in cl(O), the kernel of the map σ_O is a lattice Λ_O in Z^B consisting of all relations of O formed of ideals in B: the coordinate n_p is the multiplicity of the ideal p in the relation. When σ_O is surjective, we have

cl(O) ≅ Z^B / Λ_O.

Nothing of value is lost by only considering relations R of Λ_O since, assuming the GRH, Bach proved in [1] that σ_O is indeed surjective provided that N > 12 log² |Δ|.

The isogeny chain associated to a relation n ∈ Λ_O comprises at most ‖n‖₁ = Σ |n_p| isogenies of degree up to N so the complexity of evaluating it is crudely bounded by ‖n‖₁ N^{2+o(1)}. This norm can be controlled by a result of Jao, Miller, and Venkatesan [11, Corollary 1.3] and more specifically its following specialization found in [3, Theorem 2.1].

Theorem 6.1. Under the GRH, for all positive numbers ε there exists a constant c > 1 such that, for any imaginary quadratic order O of discriminant D and integers N > log^{2+ε} |D| and

l > c log |D| / log log |D|,

the probability, for random vectors n ∈ Z^B of norm l, that the ideal class σ_O(n) falls in any subset S of cl(O) is at least (1/2) · #S / #cl(O).

Corollary 6.2 (GRH). For N = log^{2+ε} |D| the diameter of the lattice Λ_O is o(log² |D|).

Proof. To prove this, we construct a generating set for Λ_O formed by O(log^{2+ε} |D|) relations of norm o(log² |D|). Siegel showed in [17] that cl(O) is an abelian group of order |D|^{1/2+o(1)} so there exist O(log |D|) ideal classes a_i such that cl(O) = ∏ ⟨a_i⟩; we fix these and proceed to write a generating set for Λ_O consisting of:

• relations expressing that a_i^{ord(a_i)} = 1;

• relations expressing the primes p ∈ B in terms of the a_i.

First define a map σ_O^{−1} by fixing a preimage of norm at most c log |D| / log log |D| for each ideal class; it exists by Theorem 6.1. Now use a double-and-add approach to ensure that norms remain small: for each i, express that a_i^{ord(a_i)} = 1 by the relations

(i) σ_O^{−1}(a_i^{2^j}) − 2 σ_O^{−1}(a_i^{2^{j−1}}) for j ∈ {1, …, ⌊log₂ ord(a_i)⌋};

(ii) Σ_j b_j σ_O^{−1}(a_i^{2^j}) where b_j denotes the j-th least significant bit of ord(a_i).

Now write each p ∈ B on the a_i by decomposing its class as a product ∏ a_i^{n_i} where n_i ∈ {0, …, ord(a_i)}; noting δ_p the vector with coordinate one at p and zero elsewhere, this gives the relations:

(iii) δ_p − Σ_i Σ_j b_{ij} σ_O^{−1}(a_i^{2^j}) where b_{ij} is the j-th least significant bit of n_i.

Preimages under σ_O have length o(log |D|) and there are at most Σ ⌊log₂ ord(a_i)⌋ = O(log |D|) terms, therefore each such relation has length o(log |D|)². □

To generate short relations, we simply plug this bound into the algorithm of Seysen [16] and rely on ingredients of Hafner and McCurley [9] for the proof. Note that Childs, Jao, and Soukharev proposed a similar algorithm for finding one relation, while we seek several random relations in order to characterize the order O.

Algorithm 6.3.

Input: An imaginary quadratic order O of discriminant D.
Output: A quasi-random relation n ∈ Λ_O with ‖n‖₁ = o(log^{4+2ε} |D|).

1. Form the set B of primes p of O with norm less than N = L(q)^z.
2. Draw uniformly at random a vector x ∈ Z^B with coordinates |x_p| < log^{2+ε} |D| if norm(p) < log^{2+ε} |D|, else x_p = 0.
3. Compute the reduced ideal representative a of σ_O(x).
4. If a factors over B as ∏ p^{y_p} then return the vector x − y.
5. Otherwise, go back to Step 2.

Proposition 6.4 (GRH). Let O be an order containing Z[π]; its discriminant D is then at most Δ = O(q). The algorithm above requires L(q)^{z+o(1)} + L(q)^{1/(4z)+o(1)} operations to find a relation of O whose associated isogeny can be computed in time L(q)^{2z+o(1)}.

Proof. Step 4 consists in testing the smoothness of (the norm of) a; Lenstra, Pila, and Pomerance [13, Corollary 1.2] proved this requires exp(log^{2/3+o(1)} N) log² q operations, that is, L(q)^{o(1)} since N = L(q)^z. The probability that this factorization is successful, in other words, that the norm of a is N-smooth, is L(q)^{−1/(4z)+o(1)} provided that it behaves as a random integer; this follows directly from combining the corollary above with [18, Proposition 4.4]; see also [8]. The relation involves o(log^{4+2ε} q) ideals of norm up to L(q)^z, whence the time bound for evaluating the associated isogeny by Proposition 4.4. □

Hopefully, the relations we generate discriminate between orders with distinct 
class groups: 

Lemma 6.5 (GRH). Take any two orders O and O'; a relation of O generated by the algorithm above has a probability [Λ_O : Λ_O ∩ Λ_{O'}]^{−1} + o(1) of also holding in O'.

Proof. This follows directly from [9, Lemma 2] adapted to the context of our algorithm, which proves the quasi-randomness of the relations it generates. □
7 Orders from class groups

Our proof of Proposition 5.2 now boils down to exhibiting the following.

Algorithm 7.1.

Input: An ordinary elliptic curve E/F_q and an order O ⊇ Z[π].
Output: Whether O ⊂ End E.

1. Compute a set of 3 log log q relations of O.
2. If one does not hold in the isogeny graph, return false.
3. Check whether O ⊂ End E locally at 2 and 3; if not, return false.
4. Return true.



By Proposition 6.4, Step 1 requires L(q)^{z+o(1)} + L(q)^{1/(4z)+o(1)} operations to find relations whose associated isogenies are then evaluated by Step 2 in L(q)^{2z+o(1)}. To balance these quantities, we set z = 1/(2√2) which gives an overall complexity of L(q)^{1/√2+o(1)}.

The correctness follows from Lemma 3.2 and Theorem 3.1 in that Steps 1 and 2 determine whether Λ_O ⊂ Λ_{End E}; the probability of failure is at most (2 + o(1))^{−3 log log q} = o(1/log² q), by Lemma 6.5 applied to O' = End E. The proposition below argues that, combined with Step 3, this really determines whether O ⊂ End E.

Proposition 7.2. Let O and O' be two orders in an imaginary quadratic field K. The lattice Λ_{O'} contains Λ_O if and only if the order O' contains O or:

1. K = Q(√−1) and O' has conductor 2;

2. K = Q(√−3) and O' has conductor 2 or 3;

3. The prime 2 splits in K and O' has index 2 in some order above O of odd conductor.

Intuitively, this means that identifying orders by their class groups has a single blind spot locally at 2 and 3 where the two biggest orders cannot be distinguished; Step 3 is thus required in our algorithm to ensure it exactly determines the endomorphism ring even amongst those orders with identical class groups. This statement is a straightforward refinement of [2, Proposition 5]; we nevertheless give the proof below for completeness.

Proof. Denote by S_O (resp. S_{O'}) the set of primes ℓ that split into principal ideals in O (resp. O'). Using relations formed of a single prime ideal, we see that Λ_O ⊂ Λ_{O'} implies S_O ⊂ S_{O'}. Now S_O (resp. S_{O'}) is also the set of primes that split completely in the ring class field L_O of O (resp. L_{O'}). By Chebotarev's density theorem S_O ⊂ S_{O'} thus implies L_{O'} ⊂ L_O which means that the class field theory conductor f(L_{O'}/K) of L_{O'} divides f(L_O/K).

This conductor f(L_O/K) is related to that f_O of O as follows (see [5, Exercises 9.20–9.23]):

f(L_O/K) = 1        when K = Q(i) and f_O = 2,
         = 1        when K = Q(√−3) and f_O = 2 or 3,
         = f_O / 2  when 2 splits in K and f_O = 2u with u odd,
         = f_O      otherwise.

Naturally, the same stands for O'. In the latter case, the fact that f(L_{O'}/K) divides f(L_O/K) implies that f_{O'} divides f_O, in other words O ⊂ O'; the three other cases correspond, in order, to the exceptions listed in the proposition. □

Finally, let us address Step 3. To check whether O ⊂ End E locally at some prime p, one uses a method of Kohel [12] known as "climbing the volcano", which can be done in the traditional "blind" way by following three p-isogeny paths from E and seeing which hits the "floor of rationality" first, or using the more advanced technique of [10] to directly determine the kernel of the ascending p-isogeny by pairing computations. Eventually, both methods return the valuation at p of the conductor of End E by computing at most O(val_p [O_K : Z[π]]) isogenies of degree p; since we use p = 2, 3, this takes polynomial time in log q.